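/*
 * Copyright (c) 2017 Jan Kokemüller
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/param.h>
#include <sys/capsicum.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <sys/stat.h>

#include <netinet/in.h>
#include <arpa/inet.h>

#include <atf-c.h>
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "freebsd_test_suite/macros.h"

/*
 * Directory descriptor for "/", set up by check_capsicum() before a test
 * enters capability mode.  While it is valid (>= 0) the open() interposer
 * below resolves absolute paths relative to it instead of through the
 * global namespace.
 */
static int rootfd = -1;

/*
 * circumvent bug 215690
 *
 * Interposes libc's open(3).  An absolute path is rewritten into a lookup
 * relative to rootfd once that descriptor exists; every other call is passed
 * through as openat(AT_FDCWD, ...), i.e. plain open(2) semantics.
 * Presumably this keeps absolute-path opens performed by library code working
 * after cap_enter(), where global-namespace lookups are refused -- confirm
 * against the referenced bug.
 */
int
open(const char *path, int flags, ...)
{
	mode_t mode = 0;

	/* The variadic mode argument is only present when creating a file. */
	if (flags & O_CREAT) {
		va_list ap;

		va_start(ap, flags);
		/* mode_t undergoes default promotion to int in a variadic call. */
		mode = (mode_t)va_arg(ap, int);
		va_end(ap);
	}

	if (path != NULL && path[0] == '/' && rootfd >= 0) {
		/*
		 * Drop the leading '/'.  For "/" itself that would leave an
		 * empty string, which openat(2) rejects, so use "." to refer
		 * to rootfd's own directory instead.
		 */
		const char *rel = (path[1] == '\0') ? "." : path + 1;

		return (openat(rootfd, rel, flags, mode));
	}
	return (openat(AT_FDCWD, path, flags, mode));
}

/*
 * Skip the test case unless the kernel provides Capsicum, then open the root
 * directory so the open() interposer can keep serving absolute paths after
 * cap_enter().  rootfd is opened at most once per process, so repeated calls
 * do not leak descriptors.
 */
static void
check_capsicum(void)
{
	ATF_REQUIRE_FEATURE("security_capabilities");
	ATF_REQUIRE_FEATURE("security_capability_mode");

	/* rootfd is still -1 here, so this open() resolves "/" normally. */
	if (rootfd < 0) {
		ATF_REQUIRE((rootfd = open("/", O_EXEC | O_CLOEXEC)) >= 0);
	}
}

/* Common shape of bind(2), connect(2) and the *at(2) wrappers below. */
typedef int (*socket_fun)(int, const struct sockaddr *, socklen_t);

/* connectat(2) anchored at AT_FDCWD, so it can stand in for connect(2). */
static int
connectat_fdcwd(int s, const struct sockaddr *name, socklen_t namelen)
{

	return (connectat(AT_FDCWD, s, name, namelen));
}

/* bindat(2) anchored at AT_FDCWD, so it can stand in for bind(2). */
static int
bindat_fdcwd(int s, const struct sockaddr *name, socklen_t namelen)
{

	return (bindat(AT_FDCWD, s, name, namelen));
}


ATF_TC(bindat_connectat_1);
ATF_TC_HEAD(bindat_connectat_1, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Verify that connect/bind work in normal case");
}

/*
 * Normal (non-capability) case.  Creates a fresh AF_INET stream socket and
 * requires that f() reaches the protocol layer, which reports EAFNOSUPPORT
 * for the multicast address in *name.  The incoming value of s is ignored;
 * it is overwritten with the new socket, which is closed before returning.
 */
static void
check_1(socket_fun f, int s, const struct sockaddr_in *name)
{

	ATF_REQUIRE((s = socket(AF_INET, SOCK_STREAM, 0)) >= 0);
	ATF_REQUIRE_ERRNO(EAFNOSUPPORT,
	    f(s, (const struct sockaddr *)name,
	    sizeof(struct sockaddr_in)) < 0);
	/* Do not leak one descriptor per checked function. */
	ATF_REQUIRE(close(s) == 0);
}

ATF_TC_BODY(bindat_connectat_1, tc)
{
	struct sockaddr_in sin;

	/* Deliberately no check_capsicum(): this case never enters cap-mode. */
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(0);
	sin.sin_addr.s_addr = htonl(0xE0000000);	/* 224.0.0.0 (multicast) */

	check_1(bindat_fdcwd, 0, &sin);
	check_1(bind, 0, &sin);
	check_1(connectat_fdcwd, 0, &sin);
	check_1(connect, 0, &sin);
}


ATF_TC(bindat_connectat_2);
ATF_TC_HEAD(bindat_connectat_2, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Verify that connect/bind are disabled in cap-mode");
}

/*
 * Capability-mode case.  The caller supplies the socket s; f() must be
 * refused by Capsicum with ECAPMODE before it ever reaches the protocol
 * layer.  s is left open for the caller.
 */
static void
check_2(socket_fun f, int s, const struct sockaddr_in *name)
{

	ATF_REQUIRE_ERRNO(ECAPMODE,
	    f(s, (const struct sockaddr *)name,
	    sizeof(struct sockaddr_in)) < 0);
}

ATF_TC_BODY(bindat_connectat_2, tc)
{
	int sock;
	struct sockaddr_in sin;

	check_capsicum();

	ATF_REQUIRE(cap_enter() >= 0);

	/* note: sock is created _after_ cap_enter() and contains all rights */
	ATF_REQUIRE((sock = socket(AF_INET, SOCK_STREAM, 0)) >= 0);

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	/* dummy port and multicast address (224.0.0.0) to distinguish two
	 * cases:
	 * - ECAPMODE/ENOTCAPABLE --> call blocked by capsicum
	 * - EAFNOSUPPORT --> call went through to protocol layer
	 */
	sin.sin_port = htons(0);
	sin.sin_addr.s_addr = htonl(0xE0000000);

	check_2(bindat_fdcwd, sock, &sin);
	check_2(bind, sock, &sin);
	check_2(connectat_fdcwd, sock, &sin);
	check_2(connect, sock, &sin);

	/* close(2) is still permitted in capability mode. */
	ATF_REQUIRE(close(sock) == 0);
}


ATF_TC(bindat_connectat_3);
ATF_TC_HEAD(bindat_connectat_3, tc)
{
	atf_tc_set_md_var(tc, "descr",
	    "Check that taking away CAP_BIND/CAP_CONNECT "
	    "sabotages bind/connect");
}

/*
 * Rights-limiting case, run outside capability mode.  A fresh socket limited
 * to *rights must still reach the protocol layer (EAFNOSUPPORT); after
 * *sub_rights is removed from it the same call must fail with ENOTCAPABLE.
 * The incoming value of s is ignored and overwritten with the new socket,
 * which is closed before returning.  Note that cap_rights_remove() modifies
 * *rights in place and returns it.
 */
static void
check_3(socket_fun f, int s, const struct sockaddr_in *name,
    cap_rights_t *rights, cap_rights_t *sub_rights)
{

	ATF_REQUIRE((s = socket(AF_INET, SOCK_STREAM, 0)) >= 0);
	ATF_REQUIRE(cap_rights_limit(s, rights) >= 0);
	ATF_REQUIRE_ERRNO(EAFNOSUPPORT,
	    f(s, (const struct sockaddr *)name,
	    sizeof(struct sockaddr_in)) < 0);
	/* Rights can only ever shrink: this second limit is a subset. */
	ATF_REQUIRE(cap_rights_limit(s,
	    cap_rights_remove(rights, sub_rights)) >= 0);
	ATF_REQUIRE_ERRNO(ENOTCAPABLE,
	    f(s, (const struct sockaddr *)name,
	    sizeof(struct sockaddr_in)) < 0);
	/* Closing needs no capability right, so this works on the limited fd. */
	ATF_REQUIRE(close(s) == 0);
}

ATF_TC_BODY(bindat_connectat_3, tc)
{
	struct sockaddr_in sin;
	cap_rights_t rights, sub_rights;

	check_capsicum();

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(0);
	sin.sin_addr.s_addr = htonl(0xE0000000);	/* 224.0.0.0 (multicast) */

	/*
	 * Each call re-initialises both rights sets because check_3() strips
	 * *sub_rights out of *rights as part of the check.  CAP_SOCK_SERVER
	 * is presumably a superset of CAP_BIND and CAP_SOCK_CLIENT of
	 * CAP_CONNECT; otherwise the removal would be a no-op.
	 */
	check_3(bindat_fdcwd, 0, &sin,
	    cap_rights_init(&rights, CAP_SOCK_SERVER),
	    cap_rights_init(&sub_rights, CAP_BIND));
	check_3(bind, 0, &sin,
	    cap_rights_init(&rights, CAP_SOCK_SERVER),
	    cap_rights_init(&sub_rights, CAP_BIND));
	check_3(connectat_fdcwd, 0, &sin,
	    cap_rights_init(&rights, CAP_SOCK_CLIENT),
	    cap_rights_init(&sub_rights, CAP_CONNECT));
	check_3(connect, 0, &sin,
	    cap_rights_init(&rights, CAP_SOCK_CLIENT),
	    cap_rights_init(&sub_rights, CAP_CONNECT));
}


ATF_TP_ADD_TCS(tp)
{

	ATF_TP_ADD_TC(tp, bindat_connectat_1);
	ATF_TP_ADD_TC(tp, bindat_connectat_2);
	ATF_TP_ADD_TC(tp, bindat_connectat_3);

	return (atf_no_error());
}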